Thursday, October 8, 2009

EduRoam @ CBS - Quick guide for Snow Leopard

Following up on my more detailed and less automated guide for setting up EduRoam @ CBS, I found an easier way to get Snow Leopard hooked up to the EduRoam network.

This guide will show you how to connect to the EduRoam network, as you would with any other wireless network in OS X. For more background information on EduRoam, see the previously mentioned guide.

Step 1: Connect using AirPort menubar icon

Click the AirPort menu bar icon, wait for the "eduroam" network to appear, and click it to connect.

Step 2: Enter credentials

 
A credentials prompt should appear. Here you must enter your credentials for the school network.

For CBS students: Please note that these may not be the same as your SiteScape credentials; they are the credentials you use to access the school computers. If you didn't use the school computers to change your password previously, it will still be the one given to you at enrollment.

Step 3: It fails, but that's okay


At this point it might work for you, or it might not. In my case it didn't work, and the AirPort utility showed an exclamation mark to illustrate that you are connected but unable to get on the internet.

To fix this you'll need to verify your security settings. Click the "Open Network Preferences" item to continue.

Step 4: Advanced Wireless Settings


Make sure the "AirPort" network is highlighted from the left menu, and then click "Advanced" to open the advanced settings.

Step 5: Move TTLS to the top, disable others


Select the "802.1X" tab. Click-hold and drag the TTLS settings to the top of the list. Make sure all others are disabled. When you're done, your window should look like the one below.

Step 6: Configure TTLS


Make sure TTLS is highlighted and click "Configure".

Step 7: Choose PAP authentication

Select "PAP" from the drop-down list.

Now return to the network preferences by clicking "OK" twice.

Step 8: Apply and connect


Click "Apply" and then click "Connect". Yes, you really need to click "Apply" first.

You're done!
 
If your screen says "Authenticated via TTLS", everything works as it should.

If it doesn't work, it's likely that you are missing the required certificate, and for some reason Snow Leopard doesn't install it automatically. See the more detailed guide for steps to work around it. In step 9 of the detailed guide you'll download a certificate. You can try to correct the problem by double-clicking the certificate file to install it.

If it still doesn't work, try following the steps from the detailed guide.

I hope the ones that couldn't get my previous instructions to work, will have better luck with these.

If you have any questions or suggestions, please hit me in the comments.

Friday, September 11, 2009

EduRoam @ CBS - Mac OS X 10.6 guide

I've often wondered what the eduroam network is all about. The network frequently pops up when I'm at Copenhagen Business School, but since I couldn't connect to it I ignored it. I guess most students simply ignore it, and use the public WiFi with the HTML login (captive portal) provided by CBS.

The eduroam network is an international network which you can access as a student or teacher of a connected university. In addition to being able to connect to the eduroam network at any connected university (at least I'm told), it's also encrypted, which means other users can't eavesdrop on your wireless traffic.
The eduroam network uses an extended authentication standard (802.1X). This additional layer of security makes it slightly more difficult to set up. Also it would seem that Snow Leopard makes it more difficult to use, since you are now required to manually import the certificate.

There were no guides for Snow Leopard provided by CBS, and most of the guides to other eduroam networks I could find weren't updated for Snow Leopard yet. Having fiddled with the settings for some time before getting it to work, I thought I might as well create a guide and upload it as my first post on this blog, hoping someone will find it useful.

You poor Windows users can find guides for CBS eduroam at e-campus or generic ones at eduroam.dk (in Danish).

The guide for Snow Leopard follows below.

Step 1: Network preferences
 
Click-and-hold the Apple icon at the upper left corner of the screen, and select "System Preferences" from the dropdown list. From there click the network icon as shown above.

Step 2: Advanced AirPort settings

Select the "AirPort" interface from the list, and click the "Advanced" button.

Step 3: Add 802.1X user profile

Click on the 802.1X tab, then click on the "+" button to add a new profile. Select "Add User Profile" from the list and name it.

Step 4: Enter credentials

Enter your credentials for the eduroam network. My username is hadu08ab@student.cbs.dk. Then select or enter "eduroam" from the "Wireless Network" dropdown.

Step 5: Enable TTLS

Make sure TTLS is enabled and at the top of the list. It should be by default, but if not, click the box and drag it to the top of the list. Disable PEAP. Then click "Configure".

Step 6: Set outer-identity

Select PAP as the inner authentication and enter the outer identity. This could be identical to your username or something else. "@student.cbs.dk" worked for me, but I'm not sure it's necessary.


Step 7: Configure Trust
 
This part is different from other guides. In most other guides OS X simply imports the correct certificate after prompting you to accept it. It seems this has changed in Snow Leopard, and is replaced by a "Configure Trust" button, which was missing in some other guides.

Step 8: Add trusted server

First click the "Servers" tab, then click the "+" button to add a new trusted server. For CBS students enter "radiator.cbs.dk", but don't click "OK" yet. Others might try to skip this step.

Step 9: Add certificate

This next step is a bit odd. Either I simply got something wrong, or there is a small blunder in the user interface for this part.

For Snow Leopard, you need to manually add the "Equifax Secure Certificate Authority" certificate to your list of trusted certificates. The above direct link goes to the page https://www.geotrust.com/resources/root-certificates/. You should really only add certificates you really trust. You can trust the GeoTrust certificate, but that is really something you should decide yourself.

So download the certificate file linked above (right click and use "Save link as"), and save it somewhere you can find it again. I saved it on my desktop.

Click the "Certificates" tab. Then click the "+" button and select "Select Certificate File" from the list. An open dialog will appear.

Step 10: Select downloaded certificate

Select the downloaded certificate file from the list (step 9), and then click "Open". When you click the "Open" button it might not show up on the trusted certificates list, but hopefully it will be added anyway.

You might also try double clicking the downloaded file to import it into your system.
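Before importing the file from steps 9 and 10, you can compare its fingerprint with the one the CA publishes. The following Python script is an added example, not part of the original guide: the certificate path and the published fingerprint are values you supply, and the embedded sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a minimal DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER bytes of a certificate file saved as PEM or DER."""
    match = PEM_RE.search(raw)
    if match:  # PEM: base64 text between the BEGIN/END markers
        body = b"".join(match.group(1).split())
        return base64.b64decode(body, validate=True)
    if raw[:1] == b"\x30":  # DER: begins with an ASN.1 SEQUENCE tag
        return raw
    # e.g. "Save link as" stored an HTML page instead of the certificate
    raise ValueError("not a PEM or DER certificate file")


def fingerprint(raw: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint: the hash of the certificate's DER encoding."""
    return hashlib.new(algorithm, cert_der_bytes(raw)).hexdigest()


def matches_published(raw: bytes, published: str,
                      algorithm: str = "sha256") -> bool:
    """Compare with a fingerprint obtained from the CA or your IT desk.

    Colons, spaces and letter case in the published value are ignored.
    """
    wanted = re.sub(r"[\s:]", "", published).lower()
    return fingerprint(raw, algorithm) == wanted


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: <cert-file> <published-fingerprint>
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
        ok = matches_published(data, sys.argv[2])
        print("fingerprint:", fingerprint(data))
        print("MATCH" if ok else "MISMATCH: do not import this file")
        sys.exit(0 if ok else 1)
    print("sample fingerprint:", fingerprint(SAMPLE_DER))
```

The same certificate gives the same fingerprint whether it was saved as PEM or DER, so a mismatch means the file is not the certificate you meant to trust.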

Step 11: Connect to eduroam via 802.1X

Click OK to the two previous windows, and you should be back at the network settings dialogue. Click the "Connect" button to attempt a connection to the eduroam network. You'll obviously need to be in range of an eduroam hotspot.

Step 12: Complete

If you see a message containing the text "Authenticated via TTLS", you're done. If nothing happens, it's likely due to the certificate missing. Review step 9, and try double-clicking the certificate file to import it. If that doesn't work, try clicking "Select Certificate From Keychain" and selecting the "Equifax Secure Certificate Authority" from the Keychain certificate store.

For advanced users, you can use the "Console" application to view debugging info. Press cmd-spacebar to open Spotlight and type "Console". Select the log "Database Searches" > "All messages" and search for "eapolclient". If you see the message "eapttls_verify_server: server certificate not trusted, status 6 0", the certificate is not imported correctly. Recheck steps 9 and 10.

I hope this guide will be helpful to the few users with general 802.1X + Snow Leopard problems, for eduroam users, or CBS students.

If you have any questions or suggestions, please hit me in the comments.